apiVersion: v1
kind: Pod
metadata:
  name: clamav
  labels:
    app.kubernetes.io/name: clamav
    app.kubernetes.io/part-of: clamav
  annotations:
    # Setting spec.force to true will make Flux recreate the Pod when any
    # immutable field is changed, forcing the Job to run every time the
    # container image tag changes.
    kustomize.toolkit.fluxcd.io/force: enabled
spec:
  automountServiceAccountToken: false
  containers:
  - command:
    - /entrypoint.sh
    env:
    - name: container
      value: docker
    image: harbor.corp1.majordomo.ru/nixos/container-systemd:25ce5a88
    livenessProbe:
      exec:
        command:
        - /run/current-system/sw/bin/systemctl
        - is-system-running
      failureThreshold: 100
      periodSeconds: 10
      timeoutSeconds: 15
    name: nixos-systemd
    resources:
      limits:
        cpu: 8000m
        memory: 8Gi
      requests:
        cpu: 100m
        memory: 1Gi
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        - NET_BIND_SERVICE
        - NET_RAW
        - SYS_ADMIN
        - SYS_NICE
        - SYS_TIME
    tty: true
    volumeMounts:
    - mountPath: /run
      name: run
    - mountPath: /tmp
      name: tmp
  - image: docker-registry.wugi.info/networking/3proxy:latest
    name: 3proxy
    resources:
      limits:
        memory: 512Mi
    volumeMounts:
    - mountPath: /etc/3proxy.cfg
      subPath: 3proxy.cfg
      name: 3proxy-configuration
    ports:
    - containerPort: 888
      name: 3proxy
      protocol: TCP
  - image: nixery.dev/shell/coreutils/util-linux/iptables/iproute2/netcat-openbsd/tcpdump
    name: nixery
    command:
    - /bin/sh
    - -c
    - |
      set -o nounset -o errexit -o pipefail -o xtrace
      private_networks=(
          10.0.0.0/8
          172.16.0.0/12
          192.168.0.0/16
      )
      iptables -t nat -N TOR
      for network in "${private_networks[@]}"
      do
          iptables -t nat -A TOR -d "$network" -j RETURN
      done
      iptables -t nat -A TOR -p tcp -j REDIRECT --to-ports 888
      iptables -t nat -A OUTPUT -p tcp -j TOR
      exec /bin/sleep infinity
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        - NET_BIND_SERVICE
        - NET_RAW
    resources:
      limits:
        memory: 512Mi
  volumes:
  - emptyDir:
      medium: Memory
      sizeLimit: 512M
    name: run
  - emptyDir:
      medium: Memory
      sizeLimit: 2G
    name: tmp
  - name: 3proxy-configuration
    configMap:
      name: 3proxy-configuration
